TYPO3 Open Source CMS Tackles XSS Vulnerability
Bug caused by a parsing issue in the upstream package
The makers of the venerable open-source content management system (CMS) TYPO3 have patched a cross-site scripting (XSS) flaw with a series of software updates.
The PHP package typo3/html-sanitizer’s XSS mechanism was bypassed due to a parsing issue in the masterminds/html5 upstream package that “malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized,” explained a GitHub advisory posted on Tuesday (Sept. 13).
The issue has been fixed in typo3/cms-core versions 7.6.58, 8.7.48, 9.5.37, 10.4.32 and 11.5.16. All earlier versions of these release lines are affected.
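For a site operator, the practical question is whether the installed release is older than the fixed version of its own release line. The following Python snippet is an added example, not code from the article or the TYPO3 project: it encodes the fixed versions named above and checks a version string, or a composer.lock document, against them. The composer.lock content is a constructed sample, and a release line not listed in the advisory is reported as unknown rather than safe.

```python
"""Added example (not from the original article or the TYPO3 project): check
whether an installed typo3/cms-core version falls in an affected range.

A release line is affected if the installed version belongs to that line and is
older than the fixed version the advisory names for it.
"""
from __future__ import annotations

import json

# Fixed releases per release line, taken from the advisory text.
FIXED_VERSIONS = {
    (7, 6): (7, 6, 58),
    (8, 7): (8, 7, 48),
    (9, 5): (9, 5, 37),
    (10, 4): (10, 4, 32),
    (11, 5): (11, 5, 16),
}

# Constructed sample of a composer.lock document; not a real lock file.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "psr/log", "version": "3.0.0"},
        {"name": "typo3/cms-core", "version": "v11.5.15"},
    ],
    "packages-dev": [],
})


def parse_version(text: str) -> tuple[int, int, int]:
    """Parse 'MAJOR.MINOR.PATCH'; a leading 'v' and '-dev'/'+build' suffixes are dropped."""
    core = text.strip().lstrip("v").split("-")[0].split("+")[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return (int(parts[0]), int(parts[1]), int(parts[2]))


def is_affected(text: str) -> bool | None:
    """True if older than the fix for its line, False if fixed, None if the line is not covered."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None  # release line not named in the advisory: treat as unknown
    return (major, minor, patch) < fixed


def check_composer_lock(lock_json: str, package: str = "typo3/cms-core") -> tuple[str, bool | None] | None:
    """Find the package in a composer.lock document and return (version, affected)."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []) + data.get("packages-dev", []):
        if pkg.get("name") == package:
            version = pkg.get("version", "")
            return version, is_affected(version)
    return None  # package not installed via Composer


if __name__ == "__main__":
    result = check_composer_lock(SAMPLE_COMPOSER_LOCK)
    print(result)  # ('v11.5.15', True) for the constructed sample
```

Run it against a real `composer.lock` by reading the file into `check_composer_lock`; a `None` result means the core package was not found in the lock file and the installed version has to be determined another way.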
With user interaction required, the bug is classified as moderate severity, with a CVSS score of 6.1.
Nevertheless, even with a modest market share, TYPO3 represents a large number of active installations.
Launched in 1997, the free CMS holds 2.43% of the CMS market, which translates to over 230,000 customers, 46% of which are based in Germany.
The TYPO3 association, which has about 900 members, funds the development through donations and subscriptions.
Credit for finding the bug goes to security researcher David Klein, while Olivier Hader, TYPO3 Security Team Leader and Core Developer, developed the patch.